Saturday, May 2, 2009

I mentioned setupapi.log files in one of my posts a few months ago. Since then, a couple of good tools have been released that make my life easier when working with setupapi.log files.

One such tool is SetupAPI Extractor, or SAEX. It is still in beta and is currently free. The tool only works with Windows XP setupapi.log files; there is no support yet for Vista's setupapi.app.log and setupapi.dev.log files. The best thing about this tool is its ability to parse the log files and extract only the information you need.

Another tool I often use to work with various log files, including setupapi.log files, is Mandiant Highlighter. It was previously mentioned on Cyberspeak and is free to download. It works with any text file and lets users highlight relevant keywords or remove unrelated lines. In the case of setupapi.log files, setup event IDs like #-199 or #140, or placeholders such as Device_Description, Manufacturer_Name or Hardware_ID, can be either displayed or removed, making the information contained in setupapi logs more manageable.
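As an added illustration (my own Python, not code from the original post and not from SAEX or Highlighter), the script below does on an XP-style setupapi.log what those two tools do interactively: it splits the log into its timestamped sections, drops entry types you do not care about (the #-199/#-198 command-line lines, for instance), keeps only lines matching a keyword, and pulls the hardware instance ID, device description and manufacturer string out of each successful install so that the "when was this device first installed" question can be answered directly. The log layout (a `[date time pid.tid event]` header followed by `#...` entries) is assumed from my own recollection of XP logs, and SAMPLE_LOG is constructed for the example, not taken from a real system.

```python
"""Minimal XP setupapi.log parser: sections, noise filtering, device installs.

Added example, not part of the original post and not SAEX/Highlighter code.
Assumes the XP layout: a header "[YYYY/MM/DD HH:MM:SS pid.tid Event Type]"
followed by "#..." entry lines. SAMPLE_LOG is constructed for illustration.
"""
import re
from datetime import datetime

# Constructed sample log: one USB stick (two instances of the same VID/PID)
# and the USBSTOR disk install that follows the first one.
SAMPLE_LOG = r"""
[2009/04/28 10:15:22 1234.5 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5151&rev_0100,usb\vid_0781&pid_5151
#-018 Searching for compatible ID(s): usb\class_08&subclass_06&prot_50,usb\class_08&subclass_06,usb\class_08
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I121 Device install of "USB\VID_0781&PID_5151\0000123456789" finished successfully.
[2009/04/28 10:15:25 1234.5 Driver Install]
#-199 Executing "C:\WINDOWS\system32\rundll32.exe" with command line: rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0.{a1b2c3d4-1111-2222-3333-444455556666}
#-198 Command line processed: C:\WINDOWS\system32\rundll32.exe
#I022 Found "USBSTOR\DiskSanDisk_Cruzer_Micro_____0100" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_0100\0000123456789&0" finished successfully.
[2009/05/01 08:02:10 2200.7 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5151&rev_0100,usb\vid_0781&pid_5151
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\VID_0781&PID_5151\0000987654321" finished successfully.
"""

HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+) (.+)\]$')
INSTALL_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.$')
FOUND_RE = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+); Device: "([^"]*)";.*?Mfg: "([^"]*)"')


def parse_sections(text):
    """Split the log into sections, each keyed by the timestamp of its header line."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "pid_tid": m.group(2),
                "event": m.group(3),
                "lines": [],
            }
            sections.append(current)
        elif current is not None:  # entry lines before the first header are ignored
            current["lines"].append(line)
    return sections


def filter_lines(section, drop_prefixes=("#-199", "#-198"), keep_keyword=None):
    """Highlighter-style view: drop noisy entry types, keep lines containing a keyword."""
    out = []
    for line in section["lines"]:
        if line.startswith(drop_prefixes):
            continue
        if keep_keyword and keep_keyword.lower() not in line.lower():
            continue
        out.append(line)
    return out


def device_installs(sections):
    """Collect successful installs with the description/manufacturer seen in the same section."""
    results = []
    for sec in sections:
        desc = mfg = None
        for line in sec["lines"]:
            f = FOUND_RE.match(line)
            if f:
                desc, mfg = f.group(3), f.group(4)
            i = INSTALL_RE.match(line)
            if i:
                results.append({"time": sec["time"], "instance_id": i.group(1),
                                "device": desc, "mfg": mfg})
    return results


def first_seen(installs, keyword):
    """Earliest install whose instance ID contains keyword (case-insensitive), or None."""
    hits = [e for e in installs if keyword.lower() in e["instance_id"].lower()]
    return min(hits, key=lambda e: e["time"]) if hits else None


if __name__ == "__main__":
    installs = device_installs(parse_sections(SAMPLE_LOG))
    for e in installs:
        print(e["time"], e["instance_id"], e["device"], e["mfg"])
    print("first install matching VID_0781&PID_5151:", first_seen(installs, "VID_0781&PID_5151"))
```

To use it on a real log, read the file into `parse_sections` in place of SAMPLE_LOG. Keep in mind that setupapi.log records driver installation events, so the earliest entry for a hardware ID tells you when that device was first installed on the system, not every time it was inserted.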

2 comments:

Great catch! I'll have to see about incorporating this, as I recently had an examination involving data exfiltration, and knowing when one particular device was first plugged in and last removed was invaluable!


About Me

Forensic Technology professional with diverse international experience managing and conducting Digital Investigations in both large and small organisations. A passionate computer security and digital forensics professional.

Disclaimer

This blog is intended for my digital forensic needs and shared with everyone interested to make our world a little bit safer. This is a personal weblog. The opinions expressed here represent my own and not those of my employer.
While all reasonable attempts have been made to ensure the accuracy of information on this blog, neither myself nor the blog’s contributors can be held responsible for any errors, inaccuracies, or incomplete information contained therein.
I reserve the right to correct, change, or update any information on this blog at any time without prior notice.